WebSphere® Application Server depends on several
configuration files that are created during installation.
These files contain password information and need protection. Although
the
files are protected to a limited degree during installation, this
basic level
of protection is probably not sufficient for your site. You should
verify
that these files are protected in compliance with the policies of
your site.
Before you begin
Note: A Kerberos keytab configuration file contains
a list of keys
that are analogous to user passwords. The default keytab file is krb5.keytab.
It is important for hosts to protect their Kerberos keytab files by
storing
them on the local disk, which makes them readable only by authorized
users.
The files
in
the app_server_root/profiles/profile_name/config and app_server_root/profiles/profile_name/properties need
protection. For example, give permission to the user who logs onto
the system
for WebSphere Application Server primary
administrative tasks. Other users or groups, such as WebSphere Application Server console users
and console groups need permissions as well.
The files in the WAS_HOME/config and
the WAS_HOME/properties directories need protection.
For example,
give permission to the user who logs onto the system for WebSphere Application Server primary administrative
tasks. Other users or groups, such as WebSphere Application Server console users
and console groups need permissions as well.
The files in the
WAS_HOME/properties directory
that must be readable by everybody are:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
The
value for WAS_HOME directory
is specified in the WebSphere z/OS® Profile
Management Tool or the zpmt command
when WebSphere Application Server for z/OS is
installed, for both the base product and WebSphere Application Server, Network Deployment.
Procedure
- Secure
files
on a Windows® system:
- Open
the browser for a view of the files and directories on
the machine.
- Locate and right-click the
file or the directory that you want
to protect.
- Click Properties.
- Click the Security tab.
- Remove the Everyone entry and any other user
or group
that you do not want to have access to the file.
- Add the users who can access the files with the proper
permission.
- Secure
files
on UNIX® systems. This procedure applies
only to the ordinary UNIX file system. If your site
uses access-control
lists, secure the files by using that mechanism. Any site-specific
requirements
can affect the owner, group, and corresponding privileges; for example,
on
the AIX® platform.
- Go
to the install_root directory and change
the ownership of the directory configuration and properties to the
user who
logs onto the system for WebSphere Application Server primary administrative
tasks. Run the following command: chown -R logon_name directory_name
Where:
- login_name is a specified user or group
- directory_name is
the name of the directory that contains the files
It
is recommended that you assign ownership of the files that
contain password information to the user who runs the application
server.
If more than one user runs the application server, provide permission
to the
group in which the users are assigned in the user registry.
- Set up the permission by running the following
command: chmod
-R 770 directory_name.
- Go
to the app_server_root/profiles/profile_name/properties directory
and set the file permissions. Set the access permissions
for the
following files as it pertains to your security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, you might
issue the following command: chmod 770 file_name where file_name is
the name of the file listed previously in the install_root/profiles/profile_name/properties directory.
These files contain sensitive information such as passwords.
Note: If
you enabled Kerberos authentication or SPNEGO web authentication,
set the
access permissions for the following files as it pertains to your
security
guidelines: the Kerberos configuration file (krb5.conf or krb5.ini)
and the Kerberos keytab file.
- Create
a group for WebSphere Application Server and
put
the users who perform full or partial WebSphere Application Server administrative
tasks in that group.
- If you want to use WebSphere MQ as a Java Messaging
Service (JMS) provider, restrict access to the /var/mqm directories
and log files used. Give write access to the user ID mqm or members
of the
mqm user group only.
- Secure files
on WebSphere Application Server for z/OS systems.
- Use the WebSphere z/OS Profile
Management Tool or the zpmt command
and follow the generated instructions to customize your system.
The
customization jobs that are generated perform the following functions:
- Create System Authorization Facility (SAF) WebSphere Application Server user
IDs that are needed for administrator and server processes.
- Create
a SAF WebSphere Application Server configuration
group
and add the SAF WebSphere Application Server user
IDs.
- Provide a mapping from a Java 2,
Enterprise Edition (J2EE) principal
to SAF user ID. You can generate a sample mapping module or you can
specify
one that you created yourself.
- Associate WebSphere Application Server-started tasks
with the SAF user IDs and groups that are defined previously.
- Populate
the file system with the system and property files that are needed
to run WebSphere Application Server.
- Change
the ownership of these files to the WebSphere Application Server administrator.
- Create the appropriate file permissions.
All files
in the
WAS_HOME/config directory must
have write and read access by all the members of the
WebSphere Application Server configuration
group, but must not be accessible by everyone (mode 770). All files
in the
WAS_HOME/properties directory
must have write and read access by all the members of the
WebSphere Application Server configuration
group. Set the access permissions for the following files
as it pertains to your security guidelines:
- TraceSettings.properties
- client.policy
- client_types.xml
- ipc.client.props
- sas.client.props
- sas.stdclient.properties
- sas.tools.properties
- soap.client.props
- wsadmin.properties
- wsjaas_client.conf
For example, you might issue the following command:
chmod
775 file_name.
file_name is
the name of the file listed previously. These files contain sensitive
information
such as passwords.
Note: If you enabled Kerberos authentication
or SPNEGO
web authentication, set the access permissions for the following files
as
it pertains to your security guidelines: the Kerberos configuration
file (krb5.conf or krb5.ini)
and the Kerberos keytab file.
- Add
administrators who perform full or partial WebSphere Application Server administration
tasks to the configuration group.
- Restrict
access to the /var/mqm directories and the
log files that are needed for WebSphere Application Server embedded
messaging or WebSphere MQ
as the JMS provider. Give write access only to the mqm user ID or
members
of the mqm user group.
Results
After securing your environment, only the
users with permission can
access the files. Failure to adequately secure these files can lead
to a breach
of security in your WebSphere Application Server applications.
What to do next
If failures occur that are caused by file accessing permissions,
check the permission settings.